Project ZeroGoogle’s internal security team, revealed a series of zero-day vulnerabilities in Samsung Exynos modems. They, as they describe, allow you to take full control of a device without the owner having to perform any specific action. In fact, it is enough to know the telephone number to control it remotely.
From Project Zero they detail that, in total, there are 18 zero-day vulnerabilities found in Samsung Exynos modems. However, there are only 4 that allow remote code execution. As long as, of course, the terminal is connected to the internet.
The security flaw, obviously, is quite worrisome. Above all because there is no need for the user to perform any interaction to start the attack.
We are used to hearing stories of computer attacks in which users, through an oversight, collaborate to “open the door” of a mobile or computer. In this case, however, everything can be done from the shadows. A hacker could take control of a smartphone—with Samsung Exynos modems—by knowing the victim’s phone number.
“Testing by Project Zero confirms that these four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level without user interaction, and the attacker only needs to know the victim’s phone number. With additional research and development, we believe skilled attackers could quickly create an exploit to silently and remotely compromise affected devices.”
Mobile phones with Samsung Exynos modems that are in danger
Project Zero mentions that it reported the vulnerabilities in Samsung Exynos modems between the end of 2022 and the beginning of this year. The problem is that not all manufacturers have offered an upgrade that solves the problem.
For this reason, the Google security team recommends turn off voice services over WiFi and LTE. “In the meantime, users with affected devices can protect themselves from remote code execution vulnerabilities by disabling Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings,” they explain.
The list of devices with Samsung Exynos modems that are at risk includes smartphones, wearables, and even vehicles:
- Samsung: S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04;
- I live: S16, S15, S6, X70, X60 and X30.
- Google: Pixel 6 and Pixel 7.
- Any wearable with Exynos W920 chip.
- Cars with the Exynos Auto T5123.
According to their report, Google already released a security patch during March to protect affected Pixels. So, if you have a smartphone signed by Mountain View, update to the latest version as soon as possible. Of the rest of the manufacturers mentioned, unfortunately, there is no news. It is likely that they will speak publicly soon to address the issue.
It is standard practice for Project Zero to disclose how vulnerabilities work 90 days after reporting them to affected vendors. In this case, however, they still don’t explain the four key flaws that allow remote code to be run. The reason? First they want to make sure that companies release the necessary security patches. Otherwise, they could benefit the activity of hackers.